Restricting the validation to a set of URL #88

Closed
camlizo opened this issue Dec 12, 2015 · 7 comments
@camlizo
camlizo commented Dec 12, 2015

Hi,

I need to tell the HDIV framework to protect only a set of URLs (against CSRF attacks).

So for the ValidatorFilter I was trying the following URL pattern: /functional/*
but it seems not to be working because I'm getting a NullPointerException just like in issue #45.

With the global pattern /* it works fine but this is not my wish.

I will really appreciate your help to get this working.

@fernandolozano
Hello,

Try setting the pattern like this /functional/.*

I hope it helps

@camlizo
Author

camlizo commented Dec 13, 2015

Thanks Fernando for replying.
I still get the same exception :(

Below are some logs:
Initializing filter 'ValidatorFilter' [org.hdiv.filter.ValidatorFilter] [init() 172]
Filter 'ValidatorFilter' configured successfully
..
IDataComposer not initialized on request. Request doesn't pass through ValidatorFilter, review it's mapping [org.hdiv.urlProcessor.LinkUrlProcessor] [processUrl() 69]

@fernandolozano
Could you share with us your hdiv-config.xml?

@camlizo
Author

camlizo commented Dec 14, 2015

Here is the hdiv-config.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" 
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
   xmlns:hdiv="http://www.hdiv.org/schema/hdiv" 
   xsi:schemaLocation="http://www.springframework.org/schema/beans 
                       http://www.springframework.org/schema/beans/spring-beans-3.2.xsd 
                       http://www.hdiv.org/schema/hdiv 
                       http://www.hdiv.org/schema/hdiv/hdiv.xsd">

<hdiv:config excludedExtensions="css,png,gif,jpeg,jpg,js" confidentiality="false">
    <hdiv:startPages>/</hdiv:startPages>
    <hdiv:startPages>/index.jsp</hdiv:startPages>
</hdiv:config>
</beans>

Thanks again

@gillarramendi
Member

In Struts, you have to configure ValidatorFilter mapping for all requests:

<url-pattern>/</url-pattern>

Then, use startPages to configure the sections of the page you don't want to secure.

@camlizo
Author

camlizo commented Dec 14, 2015

Thanks Gotzon for this solution. Indeed it resolves my problem.
But one question: is there any performance issue about it?
Because I'm declaring around 50 pages as startPages.

@gillarramendi
Member

Each start page is a Java regex pattern that will be executed in every request.
I think 50 regex per request will not significantly increment the response time or CPU usage.
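
As an added example (not part of the thread and not HDIV's own code), this Java sketch shows how a startPages list behaves when each entry is a Java regex checked on every request: which paths end up exempt from validation, and roughly what 50 patterns cost per request. The extra patterns, the request paths and the whole-path `matches()` semantics are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class StartPageCheck {
    // Constructed list: the two entries from the hdiv-config.xml in the thread
    // plus two hypothetical public sections.
    static final String[] START_PAGES = { "/", "/index.jsp", "/public/.*", "/help/.*\\.jsp" };

    // Compile once at startup, not on every request.
    static final List<Pattern> COMPILED = new ArrayList<>();
    static {
        for (String p : START_PAGES) COMPILED.add(Pattern.compile(p));
    }

    // Assumption: a path counts as a start page only if the whole path matches.
    static boolean isStartPage(String path) {
        for (Pattern p : COMPILED) {
            if (p.matcher(path).matches()) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed request paths; /functional/* is the section that must stay protected.
        String[] paths = { "/", "/index.jsp", "/public/faq.jsp",
                           "/functional/transfer.do", "/functional/index.jsp" };
        for (String path : paths) {
            System.out.printf("%-28s %s%n", path,
                isStartPage(path) ? "start page (not validated)" : "validated");
        }

        // Rough cost of 50 patterns per request, worst case where none matches.
        // Constructed patterns; the timing is indicative only.
        List<Pattern> fifty = new ArrayList<>();
        for (int i = 0; i < 50; i++) fifty.add(Pattern.compile("/section" + i + "/.*"));
        int requests = 100_000;
        int hits = 0;
        long t0 = System.nanoTime();
        for (int r = 0; r < requests; r++) {
            for (Pattern p : fifty) {
                if (p.matcher("/functional/transfer.do").matches()) hits++;
            }
        }
        long perRequestNs = (System.nanoTime() - t0) / requests;
        System.out.println("50 patterns: ~" + perRequestNs + " ns per request (hits=" + hits + ")");
    }
}
```

Because every start page is exempt from validation, a check like this is also a quick way to confirm that no pattern in a long list accidentally covers a path that should stay protected.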
